How to Enable BitLocker Drive Encryption in Windows 11
The Problem
A stolen laptop with an unencrypted SSD is trivial to read: pull the drive, plug it into another PC, copy everything. BitLocker scrambles the whole volume so Windows only boots when the key is available (TPM + PIN, password, or recovery key). On many OEM PCs, Windows 11 Home offers Device encryption instead; this guide focuses on BitLocker in Pro/Enterprise/Education.
Before You Start
- Windows 11 Pro, Enterprise, or Education (Home: check Settings → Privacy & security → Device encryption toggle).
- TPM 2.0 enabled (it already is on most Windows 11 PCs; see the enable TPM for upgrade guide if it is disabled in the BIOS).
- Save the recovery key somewhere that is not only on the encrypted drive (Microsoft account, printout, employer portal).
The Fix: Encrypt the System Drive (C:)
Step 1: Open BitLocker Settings
- Settings → Privacy & security → Device encryption, or search Manage BitLocker.
- Or press Win + R and run: control /name Microsoft.BitLockerDriveEncryption
Step 2: Turn On BitLocker for C:
- Click C: → Turn on BitLocker.
- When prompted to save the recovery key, pick Save to your Microsoft account (personal PCs) or Save to a file on a USB stick you will store safely—not on C: itself.
- Choose how to unlock at startup:
  - TPM only: seamless boot on trusted hardware (common on laptops).
  - TPM + PIN: stronger; you enter a PIN at boot.
  - Password: used more on PCs without TPM.
Step 3: Choose Encryption Mode
- New encryption mode — faster on modern SSDs (AES-XTS).
- Compatible mode — only if you dual-boot older Windows or move the drive to odd hardware.
Step 4: Run the Encryption
Choose Encrypt used disk space only for faster first run on a PC already in use, or Encrypt entire drive for new installs. Click Start encrypting—the PC remains usable; expect hours on large HDDs, less on SSDs.
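To confirm the result of the steps above without clicking through the Control Panel, the following added example (not part of the original guide) audits a volume against the choices this guide describes. Test-BitLockerPosture is a hypothetical helper name; it only reads properties returned by the built-in Get-BitLockerVolume cmdlet, and the sample object is constructed so the script also runs on a machine without BitLocker.

```powershell
# Added example: audit a BitLocker volume against the choices made in this guide.
# Accepts live Get-BitLockerVolume output (elevated prompt) or a constructed sample.
function Test-BitLockerPosture {
    param([Parameter(Mandatory)] $Volume)

    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @(); $notes = @()

    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $findings += 'Protection is off or suspended: resume it once firmware or hardware work is done.'
    }
    if ($Volume.EncryptionPercentage -lt 100) {
        $findings += "Encryption has not finished ($($Volume.EncryptionPercentage)% done)."
    }
    if ("$($Volume.EncryptionMethod)" -notlike 'XtsAes*') {
        $findings += "Method is $($Volume.EncryptionMethod), not XTS-AES (new encryption mode)."
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No 48-digit recovery password protector exists for this volume.'
    }
    if ($types -contains 'Tpm') {
        $notes += 'TPM-only unlock: no PIN is requested at boot.'
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protectors = $types -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
        Notes      = $notes
    }
}

# Constructed sample shaped like Get-BitLockerVolume output (not from a real machine).
$sample = [pscustomobject]@{
    MountPoint = 'C:'; ProtectionStatus = 'On'; EncryptionPercentage = 100
    EncryptionMethod = 'XtsAes128'
    KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' })
}
Test-BitLockerPosture -Volume $sample | Format-List

# On a real PC, from an elevated PowerShell prompt:
# Test-BitLockerPosture -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive)
```

The constructed sample is deliberately missing a recovery password protector, so it is reported as not compliant.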
Encrypt a USB or External Drive
- Insert the drive → File Explorer → right-click the drive → Turn on BitLocker.
- Use a password or smart card (password is typical for USB sticks).
- Save the recovery key the same way as for C:.
Recovery Key: Do Not Lose It
- View keys: https://account.microsoft.com/devices/recoverykey (signed in with the same Microsoft account).
- After firmware/BIOS changes, Windows may ask for the 48-digit recovery key at boot—normal behavior.
Keep keys and passwords together: after encrypting drives, an offline manager like Sentinel Vault lets you manage credentials in an offline vault—recovery keys and logins encrypted, no cloud account required.
Suspend BitLocker for BIOS or Hardware Changes
Open Manage BitLocker and choose Suspend protection before motherboard swaps or major firmware updates, then choose Resume after the PC has booted successfully once.
BitLocker vs Selling the PC
Encryption protects data in use; selling the machine still needs a full wipe. Follow the wipe a PC before selling guide, and turn off BitLocker or let the reset remove keys as part of a factory reset.